PoS + double spend


I am trying to understand PPC better. So I looked at some calculations for the probability of a double spend.
In posts like these: https://bitcointalk.org/index.php?topic=102342.40 or http://www.peercointalk.org/index.php?topic=591.msg14845 people are making the following assumption:

Suppose the attacker has enough coinage to win each of the next k blocks with a probability p. Then the probability that his new chain, reorganising k blocks, will be accepted is p^k. -Here we suppose the attacker is just minting on a single parallel chain.-

Why exactly should this be true? If I understand PoS right, the parallel chain will be accepted if the accumulated coinage spend in this parallel chain is higher than the accumulated coinage of the original chain. So there is no need for the attack that every created block of the parallel chain must have a higher coinage than the block of original chain.

Simple example: Suppose you have the same amount of coinage available for each of the next k blocks as the public minting process. And suppose you are minting parallel. Of course the probability that your parallel chain has more accumulated coindays than original chain is 50% and not 50%^k.

Could it be, that p^k is just an estimate of the real probability of reorganisation of blockchain - which has to be calculated with the Poisson distribution - and this estimate holds just for p<<0.5?

Minting is a random process. There is no guarantee that you will get the next block no matter how many coin age you have unless there is only yourself in the network. So you have to actually get 6 blocks first, which has p^6 chance.

but what happens, if the attacker mines k blocks secretly in his private network and then release them later.

MUTO described such an scenario explicitly.

As sigmike elaborates, just two problems arise.

-The attacker must find the last block in public.
-If the main chain finds blocks as well,as it is expected, the attacker can exclude them from his parallel chain. But then, the accumulated coinage of the parallel chain needs to be bigger than the accumulated coinage of main chain.

I think it would be easy for an attacker to overcome these problems, if he has enough coinage.

Using such an attack scenario, the possibility of success would not decrease exponentially -like p^k, right?

Please convince me that I am wrong. I love peercoin so much.

The network is getting hammered by minters every single second. Even small coin-age minters BEAT large coin-age minters on successfully minting a blocks at random. This is a luck game. Not a logical game, there is never a clear winner on the next block.[/quote]

He was saying growing the chain without broadcasting the blocks. There is no competition in this chain before it is broadcasted.

In this case I think OP should follow up MUTO’s thread. Incidentally I forgot that thread. Now that I am reminded of it, I think I will go back and ask some questions there.

The probability of solving just two consecutive PoS blocks against the whole network on a regular is exponentially high to close to near impossible

This is not accurate. It happens every several hours http://www.peercointalk.org/index.php?topic=2731.0


[quote=“ppcman”][quote=“mhps, post:4, topic:2297”]

The probability of solving just two consecutive PoS blocks against the whole network on a regular [basis] is exponentially high to close to near impossible

This is not accurate. It happens every several hours http://www.peercointalk.org/index.php?topic=2731.0[/quote]

Ahh, so solving two consecutive PoS blocks against the whole network on a regular basis is very easy to do then? Ok, so how do we use this to double spend our coins?[/quote]

Did you read the rest of the post?

At two confirmations, it’s not possible, but that’s not what mphs was alluding to; his response, backed by hard data from the block chain, showed that it is possible to routinely solve two stake blocks in a row today, contrary to your definitive statement of the low probability of the event occurring.

What we don’t know is if this address, which already has concentrated significant minting power, also controls (or influences) other addresses of significant minting power

This is not intended to be fear-mongering – I believe the network is safe and protected, but much like the mathematics that govern the cryptographic underpinnings of Peercoin, data-supported proofs of this security are needed.

Once the first network graphs are finalized, in the near future, we’ll be able to see how addresses such as this one relate to the larger Peercoin ecosystem, and identify where points of stability and threat exist.

Thanks Ben for your response.

(I’ve removed my posts that did not contain 100% accurate information, my apologies.)

No biggie. Peercoin is still a baby. We all try to get our head around it as it grows. :slight_smile:

I agree with Ben that so far the network is (likely) quite secure. Most big stake holders are perhaps believers (they really should be minting for their own good). It’s important that we are able to datamine the blockchain and spot dodgy behaviors. For that we need to think of possbile attack angles.

This is not true. Since v0.2 release, the sum of proof-of-stake difficulty determines which branch becomes the main chain. This in a way similar to bitcoin and provides very strong double-spending protection, that is, if attacker’s resource is below the threshold to take over the entire network, then double-spending becomes exponentially more difficult as the number of confirmations increases.

Hey Sunny,

I am feeling terrible to challenge your great work with peercoin.

But could you specify your threshold mentioned? If an attacker has 50 000 PPC and accumulates their coinage for 90 days, would he be above this threshold?